Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 27 Nov 2005 19:56:09 +0100
From:      "Alexandre DELAY" <alexandre.delay@free.fr>
To:        "Chuck Swiger" <cswiger@mac.com>
Cc:        freebsd-ipfw@freebsd.org
Subject:   RE: Protocol filter capabilities
Message-ID:  <MAEBLPAGHGPMOKCBICBNOEONCIAA.alexandre.delay@free.fr>
In-Reply-To: <4389FF8D.6050806@mac.com>

next in thread | previous in thread | raw e-mail | index | archive | help
I agree with you, but my aim is not to block traffic between my internal
network and the Internet.
I only want to filter (not block) certain protocols.

I found a nice tool for this:

http://freebsd.rogness.net/snort_inline/

-----Message d'origine-----
De : owner-freebsd-ipfw@freebsd.org
[mailto:owner-freebsd-ipfw@freebsd.org]De la part de Chuck Swiger
Envoye : dimanche 27 novembre 2005 19:49
A : Alexandre DELAY
Cc : freebsd-ipfw@freebsd.org
Objet : Re: Protocol filter capabilities


Alexandre DELAY wrote:
[ ...top-posting reformatted... ]
>>> Don't you think that it would be a nice thing to be able to include such
>>> "filters" from, for example, ethereal? Ethereal support more than 34k
>>> different protocols. It woul be nice to be able to choose from those
>>> filters and to apply some rules according to those filters.
>>
>> You're talking about a reactive IDS. You can rig them up using scripts
>> which monitor logfiles, or something like /usr/ports/security/snort.
>>
>> However, I prefer to use IDS for traffic I permit but want to monitor,
not
>> traffic I already know I want to block.
>
> Snort doesn't answer to such needs.
> It is not able to analyze application protocols such as BEEP or Edonkey.
> See: http://www.snort.org/docs/writing_rules/
>
> filter application protocol based on ip/ports is not efficient. Some
> application are able to work on almost any port.

Snort is a tool.  It can be used to build an IDS and is well-suited for that
task, but it is not intended to entirely replace a firewall.

It is true that P2P application protocols are very adaptive and are able to
work via almost any port.  However, they do not work through a properly
configured proxy using a "deny all" firewall in what is called a DMZ or
screened subnet firewall architecture.

If your network is set up for this correctly, internal machines on the LAN
will
never be allowed to make external requests, at all (period); clients may
even
run without a default route set and without the firewall having NAT enabled.

--
-Chuck
_______________________________________________
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?MAEBLPAGHGPMOKCBICBNOEONCIAA.alexandre.delay>